HunterSuite.io, The doors are open.

HunterSuite
10 min read, Feb 19, 2021

Hello, everyone; welcome to our latest blog post.

TL;DR

We are thrilled to announce that HunterSuite is now available and accessible worldwide. From individuals to enterprises, if you are doing penetration testing (red teaming, bug bounty hunting, corporate security, etc.), you might want to check out HunterSuite.io now.

This post will be all about our journey toward building and releasing HunterSuite. (No idea what’s going on? Read this and this and this.) If you have been following us on Twitter, you probably know we did a (limited) soft launch a few months ago. Meanwhile, we have been fixing tens of bugs, adding and removing features, and getting ready for a public release. At HunterSuite, we tried to bring the best of both manual and automated analysis together, and we have had some notable progress so far.

A brief timeline

Late 2019
Team up: the idea is there, the team is there. We gather together, shake hands and promise to finish the job.

The whole COVID-19 year, 2020
We built and deployed the first MVP, set up our company, and shared access with ten people in step one, around 100 in step two, around 300 in step three, and finally 500+ and so forth.

Here we are, 2021
Being lucky enough to have hundreds of users on our beta program, we monitored for a full month for pesky bugs and fixed so many of them; we listened carefully to our users and tried to pick the best features for public release. We also received pre-seed funding from our core members, which allowed us to spend more time on our idea. Now that we are releasing a public edition, we would like to share our journey implementing HunterSuite with you.

Let’s start with our non-technical nemesis.

What are we building and why?

We started the idea because we thought current automation just doesn’t cut it. We had made some attempts a few years ago, but for HunterSuite, we were not sure what the final product would be.
We asked ourselves questions like: should we focus on recon, or more on OSINT? Should we focus on building individual plugins, or on vulnerability scanning at scale?

These questions have been asked endlessly until now. Thanks to our beta users, we understand that most users are engaged in four main areas.

Visualized and accessible recon
Asset monitoring
Vulnerability scanning at scale
Semi-automated on-demand (plugin) scans (selective assets)

We believe attack surface analysis is the new norm for testing how safe organizations are from outside threats. Why? Because it only takes the weakest link in an organization to break into it. And here we are not talking about bug bounties with rules and scope; we are talking about every possible means of gaining initial access.

Law and morality

We had some issues here, not with the law but with morality; we didn’t want to give bad guys easy access to various organizations. We didn’t want to add any hard KYC because the InfoSec community cares a lot about privacy, so what could we do?

To solve this one, we first made sure we comply fully with our local law. We also added whitelist filters on the targets individuals can access. Then we added an extra layer of security, asking for validation before granting access to the non-jailed engine. Here is how it looks now.

Individuals can add all public bounty programs.
Individuals can add all private bounty programs.
Corporates, legal entities and validated individuals (e.g., penetration testing companies, known full-time bounty hunters, freelance penetration testers) can add any target.

Pricing?

We do all the scans in the cloud, which means we pay rent for every minute we are processing data, and that drives our costs. On the other hand, unlike colossal commercial scanners, we didn’t want to make something so expensive that only enterprises can afford it. Our base idea was to make it accessible for everyone, and we are glad we stayed on that. HunterSuite currently costs up to 1/20 of many commercial scanners and arguably brings way more value to corporates and individuals.

Trial System

A lot of users asked for a trial system, and we weren’t so sure what to give away. We ended up making full recon data of hundreds of public programs (a limited version of our essential edition) available to all registered users; we also implemented a full sandbox demo for enterprises. (You can get a dark suite edition demo here.)

Growth

We also asked ourselves: should we rush, asking investors and influencers to help us spread and grow the idea? We did not market our tool before we were confident enough that we could build, scale and support it. More importantly, we were not so sure you’d love it as much as we do, so we took it slowly, and we keep growing slowly, because our belief was to release something that matters rather than trying to sell a half-baked idea. But in the end, we got overwhelming support, and here we are, ready to rock and roll.

Let’s welcome our technical nemesis

It wasn’t all office work and tinkering; the implementation was also fascinating and, some days, frustrating. Solving our non-technical nemesis led us to our technical nemesis.

Scanning large organizations

When it comes to recon, we were greedy and perfectionist. We wanted to find more data (subdomains, alive assets, etc.) than existing tools, and we wanted to make it easily searchable, sortable and understandable. Everything was good until we started scanning large organizations. We said hello to Kubernetes and started implementing it as our scaling solution, and here was the result on real-world targets.

Google.com
Scan engine breaks
Dashboard hardly shows the data (takes long minutes)

Microsoft.com
Scan engine breaks
Dashboard hardly loads assets.

Yahoo.com (more than half a million assets)
Scan engine never finishes.
Dashboard breaks as well.

Scanning google.com, microsoft.com, and yahoo.com at the same time? K8s breaks as well! Nice one!

Give us a break!

Please note we wanted to do these scans in real time and show progress, and our base scans consist of 40 steps now! Now imagine doing this with 1000 or 10000 targets at the same time! Is it even doable?

From the very first scanners until today’s modern scanners, there was and still is a big problem: scans never finish on large organizations. Even many well-known commercial scanners of the modern day still have this issue. It takes so long that we (testers) end up giving up.

Another issue is that almost all modern corporates have some firewall or WAF in place, and sending so many packets always ends up getting you banned, so you can’t even be sure the scanner could find any vulnerability.

Yes, you can ask your target organization nicely to disable the protections in place (e.g., WAF) for your vulnerability assessment, but our subject is all about zero-knowledge, black-box security testing.

We struggled with this problem for months, and we finally ended up implementing our scaling engine plus something we internally call smart timeouts, which ensures the scans finish and you get the maximum amount of data out of a target in a very reasonable time (max 24 hours, usually within 2 hours!).

Parsing large targets

The next issue: as a tester, what kind of information will be most useful to us? IP addresses? DNS information? Obscure subdomains? Technology stack? Open ports? Okay, they all seem very useful, but when we loaded millions of assets with this amount of information, even chunked, it took a few minutes to do a basic search on these assets (because of our complex DB relationships and heavy load). We struggled with this one for quite a while too.

We ended up solving it by optimizing and rewriting our queries and changing our table structures. Now our database, with our new queries, loads millions of assets within seconds!

Monitoring

The next big issue on our list was monitoring. We needed to re-scan hundreds of organizations simultaneously, find and report new assets, and file a report on what changed in existing assets. This information can be critical because tomorrow you might find a new vulnerable asset (because it is still in dev) or a change in some authentication endpoint. Again we faced the same old problem: large organizations with millions of assets produce millions of changes, which wasn’t useful for a tester because it was too overwhelming. It also fills up gigabytes of the database engine very fast.

We solved this one by filtering out less attractive notifications and introducing a new feature which we call alive assets (checking for DNS, HTTP(S) ports, tech, etc.).
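To make the monitoring idea above concrete, here is an added example (not HunterSuite’s code) that diffs two recon snapshots and reports only alive assets and a short list of notable changes, such as a 403 turning into a 200; the Obs record, the NOTABLE_STATUS set and the sample hosts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Obs:
    """One observation of an asset in a recon snapshot (assumed layout)."""
    resolves: bool                      # DNS resolved
    ports: FrozenSet[int]               # open HTTP(S) ports seen
    status: Optional[int] = None        # HTTP status of the root path, if any
    tech: FrozenSet[str] = frozenset()  # detected technologies

def is_alive(o: Obs) -> bool:
    # "alive asset": resolves and has at least one open HTTP(S) port
    return o.resolves and bool(o.ports)

# Status transitions worth a notification (assumed list; the post names 403 -> 200)
NOTABLE_STATUS = {(403, 200), (401, 200), (404, 200)}

def diff_snapshots(prev: Dict[str, Obs], cur: Dict[str, Obs]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (new alive assets, notable changes) between two monitoring runs."""
    new_alive: List[str] = []
    changes: List[Tuple[str, str]] = []
    for host, o in sorted(cur.items()):
        if not is_alive(o):          # dead assets never produce notifications
            continue
        p = prev.get(host)
        if p is None or not is_alive(p):
            new_alive.append(host)   # first time this host is alive
            continue
        if (p.status, o.status) in NOTABLE_STATUS:
            changes.append((host, f"http {p.status} -> {o.status}"))
        if o.ports - p.ports:
            changes.append((host, f"new ports {sorted(o.ports - p.ports)}"))
        if o.tech - p.tech:
            changes.append((host, f"new tech {sorted(o.tech - p.tech)}"))
    return new_alive, changes

# Constructed sample data: two runs over a fictional organization
PREV = {
    "www.example.test":   Obs(True, frozenset({443}), 200, frozenset({"nginx"})),
    "admin.example.test": Obs(True, frozenset({443}), 403),
    "old.example.test":   Obs(True, frozenset(), None),          # resolves, nothing listening
    "dev.example.test":   Obs(True, frozenset({8080}), 200, frozenset({"express"})),
}
CUR = {
    "www.example.test":     Obs(True, frozenset({443}), 200, frozenset({"nginx"})),   # unchanged
    "admin.example.test":   Obs(True, frozenset({443}), 200),                          # 403 -> 200
    "old.example.test":     Obs(True, frozenset(), None),                              # still dead: ignored
    "dev.example.test":     Obs(True, frozenset({8080, 443}), 200, frozenset({"express"})),
    "staging.example.test": Obs(True, frozenset({443}), 200, frozenset({"django"})),   # new alive asset
    "ghost.example.test":   Obs(False, frozenset()),                                   # new but dead: ignored
}

if __name__ == "__main__":
    new, chg = diff_snapshots(PREV, CUR)
    print("new alive:", new)
    for host, what in chg:
        print("change:", host, what)
```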

Vulnerability scanner

How to write a vulnerability scanner which brings value? That’s a billion-dollar question.

Web application scanners are out there, as are exploitation frameworks and network scanners. We didn’t want to reinvent the wheel without bringing something new to the table.

We thought about web scanning at scale, but do you remember the old nemesis (big targets)? In most cases, it didn’t make any sense to crawl and scan billions of links. It just wasn’t doable with current tech, short of building a web scanner engine designed to work at scale.
Our vulnerability scanner (which we open sourced) takes a different approach and perfectly matches our recon engine. Our researchers manually analyze the most impactful recent vulnerabilities and add them to our vulnerability database. We did a lot of work on modern misconfigurations and reproducible issues.

Coverage for recent CVEs? ✅

Workaround for IP based blocking and rate limitations? ✅

Coverage for impactful misconfigurations and info leaks? ✅

Coverage for modern web frameworks (Django, laravel, express, etc.)? ✅

At scale and 0-click? ✅

Early update and 0-day coverage ? ✅

Tricks to bypass the first 403? ✅

You should have got the idea by now: focus on sending the least traffic and getting the maximum number of vulnerabilities. We gathered nearly 500 signatures during the past year, and we are continually doing so. You can check out the whole database here.

VULNDB

We update our signature databases weekly (daily in the case of hot entities), and with our scalable, fast engine, we continually find new vulnerabilities on high-profile organizations.

You might ask: does it find anything serious? Well, our approach found valid vulnerabilities on Alexa top 100 websites and public (heavily tested) bug bounty programs, so the chance of it working on less popular organizations, private programs and your penetration testing clients is even higher.

We hunt

Time to compare?

Our technical nemesis should be a good point of view for comparing HunterSuite to similar tools (current and to come). During the past few months, we have seen some other apps that tried to replicate HunterSuite. We are glad we have such an impact (despite not being known by 0.01% of the community yet). Seeing more upcoming platforms doesn’t concern us much, because we believe this is the way to go, not that we are the ones you should choose. On the other hand, we always try our best to bring something new to the table, provide top-notch support and implement exciting ideas.

Okay, let’s recap how HunterSuite is helping you.

All you have to do as a security tester is visit your dashboard every few days to get new assets to work on (manually analyzing them or using our plugins). We do this on Mondays and Thursdays in order to get new assets, new screenshots and changes on assets!

From 403 to 200? That might be critical!

And if you are using our DarkSuite edition, we will scan all your live assets on Sundays, which means a 0-click vulnerability report, ensuring scans finish and you see actual results. How cool is that?

Raw requests for vulnerabilities beautified

It’s like having the best of both automation and manual work under a single roof. We hope that when you start using HunterSuite, you feel like you are starting a penetration test from day 14 instead of day 1.

Can’t get easier

The most important reason you might want to use HunterSuite is that you save an unbelievable amount of time (what matters more?). Instead of running and managing VPSs, writing and fixing the pipeline, and gathering information about trending vulnerabilities, you focus on finding and killing them. It took us countless days of non-stop work to get here, which you can save.

And please note HunterSuite does not interfere with your current solution; you can easily use it with your other favorite security tools, aka Burp. All you have to do is open your dashboard through your Burp proxy and start working on any asset you find exciting.

Finally, a team with you: when you join HunterSuite, we are glad to have you on board. We rarely reply to an inquiry later than 24 hours, and we do care about your opinion and feedback. Chances are your excellent idea lands in newer versions.

Conclusion

Are you convinced to give us a try? You can start your trial (essential edition) here. Or you can go for a dark suite edition demo here.

So? Is this the end? Not really; it’s more like the beginning. We have big plans: we plan to add API access (to integrate HunterSuite into your CI/CD), renew our UX, and add many new cool features this year. Here is our current roadmap.

If you are already using HunterSuite, you might want to check out our biggest changelog here.

We can’t wait to see all of you around, and we are ready for round two!

Let’s go

Love the idea and want to be part of shaping the future together? We are ready to pitch you. Please contact us for an online meeting.

With ❤ HunterSuite Team
